Trend Micro paid more than US$2m in bug bounties in 2016

Trend Micro's bug bounty programme, the Zero-Day Initiative, paid out more than US$2 million in bounties in 2016 to researchers who submitted details of various flaws to it, the company says.

A company spokesperson told iTWire that ZDI was created to protect the IT ecosystem by compensating independent researchers for submitting their findings. Submissions are used to create filters for the TippingPoint intrusion prevention system (IPS) and privately disclosed to vendors so fixes can be prepared.

The unit was set up at HPE and, according to the spokesperson, nothing in the way it operates has changed since it moved over to Trend Micro.

"In fact, ZDI has grown and made 2016 our busiest year ever with 674 advisories published and more than US$2 million awarded to researchers," the spokesperson said.

ZDI itself has a handful of analysts reviewing and verifying the submissions, plus a co-ordinator to handle conversations between researchers and vendors.

"Externally, more than 3000 independent researchers from around the world have submitted bugs to ZDI," the spokesperson said.

Trend Micro researchers at this year's Pwn2Own contest.

What kind of processes are undertaken to decide on what people should work?

Researchers choose what they submit to the programme, although we do encourage them to look at widely deployed applications. These are the things attackers are most likely to target, so fixing bugs in these popular programs has a greater impact.

How do outside people get involved?

Interested researchers can submit bugs through the ZDI Secure Portal, which is available here.

What is the timeframe for so-called responsible disclosure?

ZDI provides a 120-day window for vendors to release a patch to address a vulnerability found in their software.

So the ZDI appears to be similar to a bug bounty programme. Would one be right in characterising it that way?

The ZDI is a bug bounty programme for rewarding security researchers for responsibly disclosing vulnerabilities. It is the largest vendor-agnostic bug bounty programme.

There are companies like Immunity that find out about vulnerabilities and then tell their clients about it, but do not inform the vendors. Is there ever a chance that Trend Micro would do something like this?

Our programme is designed to work with vendors to correct the vulnerabilities reported to us. It goes against our customers' best interest to withhold information from vendors.

In terms of ROI, how does the ZDI work out? If you forked out US$2 million plus in 2016, you would need to have made double that to make the venture worthwhile, wouldn't you?

Due to the shifting marketplace for software bugs, there isn’t a set dollar figure that works for year-over-year comparisons. By providing TippingPoint customers with filters ahead of the vendor-released patch, we provide our customers unique protections from 0-day attacks. The intelligence gained from having these vulnerabilities reported to us is its own ROI.

How does ZDI make contact with the underground - where, it is well-known, some of the more problematic vulnerabilities are discovered? Do you have outside sources on tap whose names are not known to you, yet you work with them because they deliver?

For financial accountability and tax reporting purposes, we need to know who we're sending payments to. For ethical oversight, we need to ensure we're not dealing with known illegal groups. The ZDI does not encourage or promote the violation of licenses or other restrictions applicable to any product.


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.